Search Results (10301 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-43158 1 Projectworlds 1 Online Shopping System 2025-10-29 4.3 Medium
In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart.
CVE-2025-8051 1 Opentext 1 Flipper 2025-10-28 6.5 Medium
Path Traversal vulnerability in opentext Flipper allows Absolute Path Traversal.  The vulnerability could allow a user to access files hosted on the server. This issue affects Flipper: 3.1.2.
CVE-2025-26352 1 Q-free 1 Maxtime 2025-10-28 6.5 Medium
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVE-2025-26353 1 Q-free 1 Maxtime 2025-10-28 4.9 Medium
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVE-2025-26354 1 Q-free 1 Maxtime 2025-10-28 7.2 High
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVE-2025-26355 1 Q-free 1 Maxtime 2025-10-28 6.5 Medium
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
CVE-2025-26356 1 Q-free 1 Maxtime 2025-10-28 7.2 High
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
CVE-2025-26357 1 Q-free 1 Maxtime 2025-10-28 4.9 Medium
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVE-2020-16013 2 Google, Redhat 2 Chrome, Rhel Extras 2025-10-24 8.8 High
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2017-17552 1 Zohocorp 1 Manageengine Admanager Plus 2025-10-24 8.8 High
/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.
CVE-2025-26351 1 Q-free 1 Maxtime 2025-10-24 4.9 Medium
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
CVE-2024-7965 2 Google, Microsoft 2 Chrome, Edge Chromium 2025-10-24 8.8 High
Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2024-10448 1 Fabian 1 Blood Bank Management System 2025-10-23 4.3 Medium
A vulnerability, which was classified as problematic, has been found in code-projects Blood Bank Management System 1.0. Affected by this issue is some unknown functionality of the file /file/delete.php. The manipulation of the argument bid leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other endpoints might be affected as well.
CVE-2025-7756 1 Fabian 1 E-commerce Site 2025-10-23 4.3 Medium
A vulnerability classified as problematic has been found in code-projects E-Commerce Site 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-10605 2 Code-projects, Fabian 2 Blood Bank Management System, Blood Bank Management System 2025-10-23 4.3 Medium
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /file/request.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-10557 2 Code-projects, Fabian 2 Blood Bank Management System, Blood Bank Management System 2025-10-23 4.3 Medium
A vulnerability has been found in code-projects Blood Bank Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /file/updateprofile.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-62583 2 Naver, Navercorp 2 Whale Browser, Whale 2025-10-21 9.8 Critical
Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
CVE-2025-62585 2 Naver, Navercorp 2 Whale Browser, Whale 2025-10-21 7.5 High
Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment.
CVE-2025-31969 1 Hcltech 1 Unica 2025-10-21 4 Medium
HCL Unica Platform is impacted by misconfigured Content Security Policy (CSP). These can result in malicious resources getting loaded and browsers may come across certain types of attacks, such as cross-site scripting and clickjacking.
CVE-2025-59428 1 Espocrm 1 Espocrm 2025-10-20 5.4 Medium
EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.